00a94de3f03155e33cd26af750a739d61d0433e589a930a8faaf52abd0c84474

Analysis

max time kernel
44s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 13:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

00a94de3f03155e33cd26af750a739d61d0433e589a930a8faaf52abd0c84474.exe
Size

53KB
MD5

07ece06e45fd24960c5a1fd165b1b33a
SHA1

9df37d5ac1206a7d338f29ee2b68d0cdb43fb0da
SHA256

00a94de3f03155e33cd26af750a739d61d0433e589a930a8faaf52abd0c84474
SHA512

b46064516549de8c7457138b4727ba51545add3db45be17c32e36272a9a0d9865198e99a7978a1cf37ca10f415e14a51a870b90b7229abbbbaee405cf34087ae
SSDEEP

768:lSRlBNRD1cKFwzoGE34GzjWwsIBdnAhir8LR8cCVbm3q5+55ZepHRON636bmprjY:QRfNPozoN4Gz64JAh2aReNmfTepP3GmK

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1772	1.exe
332	NTdhcp.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c000000012313-56.dat	upx
behavioral1/files/0x000c000000012313-57.dat	upx
behavioral1/files/0x000c000000012313-58.dat	upx
behavioral1/files/0x000c000000012313-59.dat	upx
behavioral1/files/0x000c000000012313-61.dat	upx
behavioral1/files/0x000c000000012313-63.dat	upx
behavioral1/files/0x000a000000012318-64.dat	upx
behavioral1/files/0x000a000000012318-65.dat	upx
behavioral1/files/0x000a000000012318-67.dat	upx
behavioral1/memory/332-69-0x0000000000400000-0x0000000000417200-memory.dmp	upx
behavioral1/files/0x000a000000012318-68.dat	upx
behavioral1/memory/1772-71-0x0000000000400000-0x0000000000417200-memory.dmp	upx

Loads dropped DLL 6 IoCs

pid	Process
1600	00a94de3f03155e33cd26af750a739d61d0433e589a930a8faaf52abd0c84474.exe
1600	00a94de3f03155e33cd26af750a739d61d0433e589a930a8faaf52abd0c84474.exe
1600	00a94de3f03155e33cd26af750a739d61d0433e589a930a8faaf52abd0c84474.exe
1600	00a94de3f03155e33cd26af750a739d61d0433e589a930a8faaf52abd0c84474.exe
1772	1.exe
1772	1.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\NTdhcp.exe	1.exe
File opened for modification	C:\Windows\SysWOW64\NTdhcp.exe	1.exe
File opened for modification	C:\Windows\SysWOW64\NTdhcp.exe	NTdhcp.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Deleteme.bat	1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 1772	1600	00a94de3f03155e33cd26af750a739d61d0433e589a930a8faaf52abd0c84474.exe	27
PID 1600 wrote to memory of 1772	1600	00a94de3f03155e33cd26af750a739d61d0433e589a930a8faaf52abd0c84474.exe	27
PID 1600 wrote to memory of 1772	1600	00a94de3f03155e33cd26af750a739d61d0433e589a930a8faaf52abd0c84474.exe	27
PID 1600 wrote to memory of 1772	1600	00a94de3f03155e33cd26af750a739d61d0433e589a930a8faaf52abd0c84474.exe	27
PID 1772 wrote to memory of 332	1772	1.exe	28
PID 1772 wrote to memory of 332	1772	1.exe	28
PID 1772 wrote to memory of 332	1772	1.exe	28
PID 1772 wrote to memory of 332	1772	1.exe	28
PID 1772 wrote to memory of 952	1772	1.exe	30
PID 1772 wrote to memory of 952	1772	1.exe	30
PID 1772 wrote to memory of 952	1772	1.exe	30
PID 1772 wrote to memory of 952	1772	1.exe	30

C:\Users\Admin\AppData\Local\Temp\00a94de3f03155e33cd26af750a739d61d0433e589a930a8faaf52abd0c84474.exe
"C:\Users\Admin\AppData\Local\Temp\00a94de3f03155e33cd26af750a739d61d0433e589a930a8faaf52abd0c84474.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1772
- - C:\Windows\SysWOW64\NTdhcp.exe
    C:\Windows\system32\NTdhcp.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:332
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\Deleteme.bat
    3⤵
    PID:952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
25KB

MD5
0785aee499bf54a36db14cffad304b46

SHA1
ce8d68b53270ca2c950bd0be528307fef9a73f47

SHA256
f3e4fc359e19bdbe59cdb7e29040747872939fc39b31e2d7a5ee12e0dbd9e52c

SHA512
eabbaac4898de72411a0fa6364a4e3804c3d6b7bb2e66efe90d4097185580cce00813c104594361e39f37ed9d0cb921aee036b8c147f0c492d83c632f1f3fd12

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
25KB

MD5
0785aee499bf54a36db14cffad304b46

SHA1
ce8d68b53270ca2c950bd0be528307fef9a73f47

SHA256
f3e4fc359e19bdbe59cdb7e29040747872939fc39b31e2d7a5ee12e0dbd9e52c

SHA512
eabbaac4898de72411a0fa6364a4e3804c3d6b7bb2e66efe90d4097185580cce00813c104594361e39f37ed9d0cb921aee036b8c147f0c492d83c632f1f3fd12

Download Submit
C:\Windows\Deleteme.bat

Filesize
122B

MD5
d15f7378cdf005521f5e4089d5aaa8f2

SHA1
26f89a668c5b5942fdb53edfeb4c6654d1a64197

SHA256
c40b64dbde2d7a5ca1d04cd91b3974efb87ea126f1d9085c207b114fd1b74338

SHA512
49f280c5246cc3919129ef661f7e06830f37fcc6f324c1f8faa7156489001e33acbc0aa87df9a65eaa5751538feea708373b818c501c7afe2cad189834305137

Download Submit
C:\Windows\SysWOW64\NTdhcp.exe

Filesize
25KB

MD5
0785aee499bf54a36db14cffad304b46

SHA1
ce8d68b53270ca2c950bd0be528307fef9a73f47

SHA256
f3e4fc359e19bdbe59cdb7e29040747872939fc39b31e2d7a5ee12e0dbd9e52c

SHA512
eabbaac4898de72411a0fa6364a4e3804c3d6b7bb2e66efe90d4097185580cce00813c104594361e39f37ed9d0cb921aee036b8c147f0c492d83c632f1f3fd12

Download Submit
C:\Windows\SysWOW64\NTdhcp.exe

Filesize
25KB

MD5
0785aee499bf54a36db14cffad304b46

SHA1
ce8d68b53270ca2c950bd0be528307fef9a73f47

SHA256
f3e4fc359e19bdbe59cdb7e29040747872939fc39b31e2d7a5ee12e0dbd9e52c

SHA512
eabbaac4898de72411a0fa6364a4e3804c3d6b7bb2e66efe90d4097185580cce00813c104594361e39f37ed9d0cb921aee036b8c147f0c492d83c632f1f3fd12

Download Submit
\Users\Admin\AppData\Local\Temp\1.exe

Filesize
25KB

MD5
0785aee499bf54a36db14cffad304b46

SHA1
ce8d68b53270ca2c950bd0be528307fef9a73f47

SHA256
f3e4fc359e19bdbe59cdb7e29040747872939fc39b31e2d7a5ee12e0dbd9e52c

SHA512
eabbaac4898de72411a0fa6364a4e3804c3d6b7bb2e66efe90d4097185580cce00813c104594361e39f37ed9d0cb921aee036b8c147f0c492d83c632f1f3fd12

Download Submit
\Users\Admin\AppData\Local\Temp\1.exe

Filesize
25KB

MD5
0785aee499bf54a36db14cffad304b46

SHA1
ce8d68b53270ca2c950bd0be528307fef9a73f47

SHA256
f3e4fc359e19bdbe59cdb7e29040747872939fc39b31e2d7a5ee12e0dbd9e52c

SHA512
eabbaac4898de72411a0fa6364a4e3804c3d6b7bb2e66efe90d4097185580cce00813c104594361e39f37ed9d0cb921aee036b8c147f0c492d83c632f1f3fd12

Download Submit
\Users\Admin\AppData\Local\Temp\1.exe

Filesize
25KB

MD5
0785aee499bf54a36db14cffad304b46

SHA1
ce8d68b53270ca2c950bd0be528307fef9a73f47

SHA256
f3e4fc359e19bdbe59cdb7e29040747872939fc39b31e2d7a5ee12e0dbd9e52c

SHA512
eabbaac4898de72411a0fa6364a4e3804c3d6b7bb2e66efe90d4097185580cce00813c104594361e39f37ed9d0cb921aee036b8c147f0c492d83c632f1f3fd12

Download Submit
\Users\Admin\AppData\Local\Temp\1.exe

Filesize
25KB

MD5
0785aee499bf54a36db14cffad304b46

SHA1
ce8d68b53270ca2c950bd0be528307fef9a73f47

SHA256
f3e4fc359e19bdbe59cdb7e29040747872939fc39b31e2d7a5ee12e0dbd9e52c

SHA512
eabbaac4898de72411a0fa6364a4e3804c3d6b7bb2e66efe90d4097185580cce00813c104594361e39f37ed9d0cb921aee036b8c147f0c492d83c632f1f3fd12

Download Submit
\Windows\SysWOW64\NTdhcp.exe

Filesize
25KB

MD5
0785aee499bf54a36db14cffad304b46

SHA1
ce8d68b53270ca2c950bd0be528307fef9a73f47

SHA256
f3e4fc359e19bdbe59cdb7e29040747872939fc39b31e2d7a5ee12e0dbd9e52c

SHA512
eabbaac4898de72411a0fa6364a4e3804c3d6b7bb2e66efe90d4097185580cce00813c104594361e39f37ed9d0cb921aee036b8c147f0c492d83c632f1f3fd12

Download Submit
\Windows\SysWOW64\NTdhcp.exe

Filesize
25KB

MD5
0785aee499bf54a36db14cffad304b46

SHA1
ce8d68b53270ca2c950bd0be528307fef9a73f47

SHA256
f3e4fc359e19bdbe59cdb7e29040747872939fc39b31e2d7a5ee12e0dbd9e52c

SHA512
eabbaac4898de72411a0fa6364a4e3804c3d6b7bb2e66efe90d4097185580cce00813c104594361e39f37ed9d0cb921aee036b8c147f0c492d83c632f1f3fd12

Download Submit
memory/332-69-0x0000000000400000-0x0000000000417200-memory.dmp

Filesize
92KB

Download
memory/1600-62-0x0000000000400000-0x000000000040EDCA-memory.dmp

Filesize
59KB

Download
memory/1600-54-0x0000000076461000-0x0000000076463000-memory.dmp

Filesize
8KB

Download
memory/1600-55-0x0000000000400000-0x000000000040EDCA-memory.dmp

Filesize
59KB

Download
memory/1772-71-0x0000000000400000-0x0000000000417200-memory.dmp

Filesize
92KB

Download